Java keystore and jar signing

I was using Java 6 for developing a Java applet.

Since the applet jar file has to be signed before deploying it on the server, I created a self-signed keystore.

The applet was working fine with java 6.

During the first load the applet displayed a warning with a checkbox option to allow the applet to run in the future without showing the warning.

Due to Java 6 security issues I upgraded to Java 7 update 51.

This time, however, I got a scary warning (red and bold message) and no option to allow the applet to run without displaying the warning in future.

Apparently Java 7 does not like self-signed jars.

So I contacted my organization's security team and requested a “Code signing certificate”.

Below are the steps to create your own keystore, import the code signing certificate into it, and sign a jar file with it.

  • Generate Keystore

```console
$ keytool -genkey -keyalg RSA -keysize 2048 -alias testKeystore -validity 365 -dname "CN=127.0.0.1, OU=Test Unit, O=Test company, L=Johannesburg, S=Gauteng, C=SA" -keystore testKeystore.jks -storepass password -keypass password
```

  • Generate CSR from keystore

```console
$ keytool -certreq -alias testKeystore -file csr.csr -keystore testKeystore.jks
```

  • Getting a “code signing certificate”

You can request a certificate from your organization's certificate request server or buy one online.

I used my organization's server: I selected “Code Signing Certificate” and pasted the contents of the .csr file created above into the CSR request text area.

The process is the same for other providers.

Once the certificate request has been approved you will get the two files below:

  • .cer (the issued certificate)
  • .p7b (the PKCS#7 bundle containing the certificate chain)

  • Importing the cert into keystore

Import the .p7b under the same alias that holds the key pair, so the self-signed certificate is replaced by the CA-issued chain (`<certificate>` is a placeholder for the file name you received):

```console
$ keytool -import -trustcacerts -alias testKeystore -file <certificate>.p7b -keystore testKeystore.jks
```

  • Use jarsigner to sign jar

```console
# usage: jarsigner -keystore <keystore> -storepass <password> [-keypass <password>] <jar-file> <alias>
$ jarsigner -keystore testKeystore.jks -storepass password -keypass password <jar-file>.jar testKeystore
```

  • Use maven plugin to sign jar

Assuming the keystore file created above (testKeystore.jks) is stored in the src/main/resources folder:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jarsigner-plugin</artifactId>
  <version>1.2</version>
  <executions>
    <execution>
      <id>sign</id>
      <phase>install</phase>
      <goals>
        <goal>sign</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <archiveDirectory>${project.build.directory}</archiveDirectory>
    <includes>
      <include>*.jar</include>
    </includes>
    <keystore>${project.basedir}/src/main/resources/testKeystore.jks</keystore>
    <alias>testKeystore</alias>
    <storepass>password</storepass>
    <keypass>password</keypass>
  </configuration>
</plugin>
```

  • Jar manifest file

Your jar file should have a manifest file with Permissions, Trusted-Library, Codebase and Application-Name key/value pairs. You can use the maven shade plugin to generate the jar file and add the above attributes to its manifest:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <version>2.1</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <transformers>
          <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
            <manifestEntries>
              <Permissions>all-permissions</Permissions>
              <Trusted-Library>true</Trusted-Library>
              <Codebase>*</Codebase>
              <Application-Name>Test Application</Application-Name>
            </manifestEntries>
          </transformer>
        </transformers>
        <finalName>${project.build.finalName}</finalName>
      </configuration>
    </execution>
  </executions>
</plugin>
```

That's it :)
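A jar that lacks the manifest attributes above, or whose contents were touched after signing, is exactly what Java 7u51 refuses to run, so it is worth checking the artifact before it goes to the server. The following Python script is an added example and not part of the original post: it builds a constructed sample jar carrying the manifest entries from the shade configuration, stands in for the `.SF`/`.RSA` files with placeholder content (only jarsigner produces the real ones), and runs a pre-flight check that verifies the required attributes are present and that every entry's `SHA-256-Digest` still matches the entry's bytes, the same digest sections jarsigner writes into `MANIFEST.MF`. It is a sanity check, not a replacement for `jarsigner -verify -verbose -certs`, which additionally validates the signature and the certificate chain.

```python
"""Pre-flight check of an applet jar's manifest and per-entry digests."""
import base64
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Main attributes Java 7u51 expects on a signed applet / Web Start jar
REQUIRED_ATTRS = ("Permissions", "Codebase", "Application-Name")
MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Return (main_attributes, {entry_name: attributes}) from MANIFEST.MF text.
    Manifest lines over 72 bytes are wrapped; a continuation starts with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections = [{}]
    for line in lines:
        if not line.strip():            # blank line separates sections
            if sections[-1]:
                sections.append({})
            continue
        key, _, value = line.partition(":")
        sections[-1][key.strip()] = value.strip()
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return sections[0], entries


def sha256_b64(data):
    """Encoding used by the SHA-256-Digest manifest attribute."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(main, files):
    """Main attributes followed by one Name/SHA-256-Digest section per entry,
    which is the shape jarsigner leaves the manifest in after signing."""
    out = [f"{k}: {v}" for k, v in main.items()] + [""]
    for name, data in files.items():
        out += [f"Name: {name}", f"SHA-256-Digest: {sha256_b64(data)}", ""]
    return "\n".join(out) + "\n"


def is_signature_meta(name):
    """The manifest, the .SF file and the signature block are not digested."""
    ext = name.rsplit(".", 1)[-1]
    return name == MANIFEST or (name.startswith("META-INF/") and ext in ("SF", "RSA", "DSA", "EC"))


def check_jar(jar_path):
    """Return a list of problems; an empty list means the jar passes."""
    problems = []
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        if MANIFEST not in names:
            return [f"no {MANIFEST}"]
        main, entries = parse_manifest(jar.read(MANIFEST).decode("utf-8"))
        for attr in REQUIRED_ATTRS:
            if attr not in main:
                problems.append(f"manifest missing {attr}")
        if "Permissions" in main and main["Permissions"] not in ("all-permissions", "sandbox"):
            problems.append(f"invalid Permissions value {main['Permissions']!r}")
        for name in names:
            if name.endswith("/") or is_signature_meta(name):
                continue
            section = entries.get(name)
            if section is None:
                problems.append(f"{name}: no digest section, jar looks unsigned")
            elif section.get("SHA-256-Digest") != sha256_b64(jar.read(name)):
                problems.append(f"{name}: digest mismatch, content changed after signing")
        if not any(n.startswith("META-INF/") and n.endswith(".SF") for n in names):
            problems.append("no META-INF/*.SF signature file")
    return problems


def build_sample_jar(path, tamper=False, drop_permissions=False):
    """Constructed sample jar (not a real applet): fake class bytes, a properties
    file, the manifest attributes from the post, and placeholder signature files."""
    files = {
        "com/example/TestApplet.class": b"\xca\xfe\xba\xbe constructed class bytes",
        "applet.properties": b"name=Test Application\n",
    }
    main = {"Manifest-Version": "1.0", "Permissions": "all-permissions", "Codebase": "*",
            "Application-Name": "Test Application", "Trusted-Library": "true"}
    if drop_permissions:
        del main["Permissions"]
    manifest = build_manifest(main, files)
    if tamper:  # modify an entry after its digest was recorded
        files["applet.properties"] = b"name=Tampered\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        jar.writestr("META-INF/TESTKEYS.SF", "Signature-Version: 1.0\n")   # placeholder
        jar.writestr("META-INF/TESTKEYS.RSA", b"placeholder PKCS#7 block")  # placeholder
        for name, data in files.items():
            jar.writestr(name, data)
    return path


def demo():
    """Run the check over a clean, a tampered and a Permissions-less sample jar."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        return {
            "clean": check_jar(build_sample_jar(tmp / "clean.jar")),
            "tampered": check_jar(build_sample_jar(tmp / "tampered.jar", tamper=True)),
            "no_permissions": check_jar(build_sample_jar(tmp / "noperm.jar", drop_permissions=True)),
        }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

Point `check_jar` at the jar produced by the shade plugin after the jarsigner step and treat any non-empty result as a build failure; the digest comparison is what catches a jar that was rebuilt or repackaged after signing, which otherwise only surfaces as the same red warning in the browser.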
This post is licensed under CC BY 4.0 by the author.